Punishing Those Who Fall for Phishing Schemes
DHS CISO Suggests Revoking Security Clearances of Repeat Offenders
Too often, individuals who fail to take the proper steps to secure IT aren't punished for their reckless behavior that leads to a cyberattack. But should those in the trenches, including senior-level personnel, who consistently fail to follow safe cyber hygiene be severely penalized for repeatedly falling for phishing attacks?
That's an idea floated - though not necessarily endorsed - by Paul Beckman, CISO at the Department of Homeland Security. Speaking at a security summit in Washington last week, Beckman said DHS might consider establishing a policy that employees and contractors who hold security clearances and repeatedly fail anti-phishing tests would lose those security clearances, according to the publication Defense One.
"There are no repercussions to bad behavior," Beckman said. "There's no punitive damage, so to speak. There's really nothing to incentivize these people to be aware, to be diligent."
DHS sends faux phishing emails to employees to test them. Those who open attachments contained in the messages receive online security training. Still, some employees who have taken the training continue to fail the phishing test, Beckman said.
Beckman indicated he wants to discuss with DHS's chief security officer - who's responsible for overall personnel security - the idea of potentially incorporating employees' susceptibility to phishing in broader evaluations of their fitness to handle sensitive information.
"Someone who fails every single phishing campaign in the world should not be holding a TS SCI (top-secret security clearance) with the federal government," he said. "You have clearly demonstrated that you are not responsible enough to responsibly handle that information."
Beckman's idea comes in the wake of the breach earlier this year of Office of Personnel Management computers, which supposedly exploited a phishing attack to pilfer credentials used to gain access to highly sensitive personal information of more than 21 million individuals, many with security clearances.
Still, Beckman's thinking isn't universally accepted. Robert Bigman, the former longtime CISO at the CIA, characterizes as "ridiculous" the idea of stripping employees who fail phishing tests of their security clearances.
Bigman says many phishing attacks are crafted so that they can easily fool many employees. "If you mishandle classified information on purpose, that's grounds for firing someone," he says. "But if someone makes a mistake like that, I mean, come on."
Small Aspect of Overall Security
Besides, Bigman contends, phishing attacks aren't a major threat to the exposure of the government's top secrets, though the mischief could reveal unclassified but sensitive information. "It's such a small aspect of the overall [security] problem," he says.
Revoking security clearances of an employee with critical knowledge and skills could endanger national security, even if he or she continuously flunks phishing tests. That consequence could prove greater than the damage caused by clicking on an attachment in a phishing email.
But Beckman should be credited with raising the idea of individual responsibility in preventing vulnerabilities, and for starting the discussion on how to handle those who don't take cyber hygiene seriously. It's a conversation worth having. What are your thoughts?